Title: Arbitrary Code Execution
Last modified: February 13, 2025

---

# Arbitrary Code Execution

 *  Resolved [bindevid](https://wordpress.org/support/users/bindevid/)
 * (@bindevid)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/)
 * WordPress Widget Options Plugin <= 4.1.0 – Arbitrary Code Execution vulnerability
 * Severity is rated at 9.9!!!

Viewing 15 replies - 1 through 15 (of 19 total)


 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18305641)
 * Hi dear users,
 * Our dev team has recently been informed about this issue and is actively working
   on a fix.
 * In the meantime, if you’re not using the **Display Logic** feature, we recommend
   disabling it to remove the vulnerability notification.
 * Kind Regards,
   Mej, Widget Options Team
 *  Thread Starter [bindevid](https://wordpress.org/support/users/bindevid/)
 * (@bindevid)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18307740)
 * Wrong. Disabling display logic doesn’t fix it. Severity rating at 9.9. Critical.
 *  Thread Starter [bindevid](https://wordpress.org/support/users/bindevid/)
 * (@bindevid)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18310383)
 * Why hasn’t this been fixed? Severity rating of 9.9
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18310538)
 * Hi dear users,
 * The patch is currently in QA testing and will be released soon once the vulnerability
   is resolved. Stay tuned for updates!
 *  [Marius Sonnentag](https://wordpress.org/support/users/about2press/)
 * (@about2press)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18313030)
 * In my opinion, Patchstack often does not follow the best approach when releasing
   information about vulnerabilities – but they have their firewall as a solution 😉
   They tend to announce vulnerabilities before fixes are available, which can
   be problematic, especially for open-source projects. This approach could lead
   to unnecessary panic or confusion, especially when there is no immediate solution
   in sight. While I understand the urgency to inform users, I believe it’s worth
   considering whether the timeframe could be adjusted to allow for patches to be
   released before the vulnerabilities are made public. This would give developers
   time to resolve issues without putting users at risk unnecessarily.
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18313557)
 * Hi [@bindevid](https://wordpress.org/support/users/bindevid/),
 * We’re pleased to let you know that a new version has been released, which includes
   a patch for the vulnerability reported by Patchstack.
 * Please update to the latest version at your earliest convenience. If you need
   any further assistance, don’t hesitate to reach out again to us.
 * Kind Regards,
   Mej, Widget Options Team
 *  [norwood451](https://wordpress.org/support/users/norwood451/)
 * (@norwood451)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18314008)
 * Thank you for letting us all know. 🙂
 *  [Éric Martin](https://wordpress.org/support/users/em-m/)
 * (@em-m)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18314020)
 * Thank you [@mej](https://wordpress.org/support/users/mej/)
 *  [Marius Sonnentag](https://wordpress.org/support/users/about2press/)
 * (@about2press)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/#post-18314093)
 * 1.000 THANX!
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [1 year, 3 months ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18315566)
 * You’re always welcome! [@norwood451](https://wordpress.org/support/users/norwood451/)
   [@em-m](https://wordpress.org/support/users/em-m/) [@about2press](https://wordpress.org/support/users/about2press/)
 * Best Regards,
   Mej, Widget Options Team
 *  [aparentdesign](https://wordpress.org/support/users/aparentdesign/)
 * (@aparentdesign)
 * [10 months, 3 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18540508)
 * Hi, the plugin patch seems to just block this feature for non-admin roles, including
   those created by another role editor plugin. This doesn’t really solve the issue
   for us, as we reserve the admin role for only the highest level and we have people
   at editor/manager level who have been managing widgets for years.
   Are devs working on a better, perhaps WYSIWYG solution that does not require any
   scripts? That would be ideal. Thx!
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [10 months, 3 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18540866)
 * Hi [@aparentdesign](https://wordpress.org/support/users/aparentdesign/),
 * We’ve restricted certain access for user roles lower than Administrator to help
   prevent potential vulnerabilities within the plugin.
 * Our team is continuously working to improve the plugin’s functionality while 
   prioritizing security and minimizing any vulnerability concerns.
 * Thank you for your understanding, and please feel free to reach out if you have
   any questions or suggestions!
 * Kind Regards,
   Mej, Widget Options Team
 *  [aparentdesign](https://wordpress.org/support/users/aparentdesign/)
 * (@aparentdesign)
 * [10 months, 2 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18548678)
 * [@mej](https://wordpress.org/support/users/mej/),
   Thanks, but that solution
   effectively makes this plugin not useable at all for us. Our workflow is blocked.
   Is this a short-term solution while devs are working on something better? What
   other options are there? As I suggested before, you currently use a WYSIWYG method
   for filtering widgets on Pages, i.e., users search for a post and select the 
   name visually rather than inserting any code anywhere. Can we use something like
   that but applied to Posts, instead of using conditional logic? Has this suggestion
   been forwarded to devs? It seems like this would not involve a lot of code changes
   since the functionality exists. -A
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [10 months, 2 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18548840)
 * Hi [@aparentdesign](https://wordpress.org/support/users/aparentdesign/),
 * Thanks for the follow-up, and we understand how this is affecting your workflow.
 * The current workaround is a long-term solution, and we’ve already forwarded your
   suggestion to the dev team for review.
 * We’ll keep you updated as soon as we hear back from the team. Thanks again.
 * Kind Regards,
   Mej, Widget Options Team
 *  Plugin Author [Mej de Castro](https://wordpress.org/support/users/mej/)
 * (@mej)
 * [10 months, 2 weeks ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18550501)
 * Just a little typo to clarify, [@aparentdesign](https://wordpress.org/support/users/aparentdesign/),
   the current workaround **isn’t** a long-term solution. We’re actively working
   on improving the plugin’s functionality to ensure a smoother experience and prevent
   any ongoing issues for our users.
 * Kind Regards,
   Mej, Widget Options Team


The topic ‘Arbitrary Code Execution’ is closed to new replies.


 * 28 replies
 * 6 participants
 * Last reply from: [Mej de Castro](https://wordpress.org/support/users/mej/)
 * Last activity: [6 months, 1 week ago](https://wordpress.org/support/topic/arbitrary-code-execution/page/2/#post-18715008)
 * Status: resolved